VegaLocker
VegaLocker, also known as Vega, is ransomware that runs on Microsoft Windows. It was discovered by Amigo-A. Its ransom note is similar to Scarabey's note. It is aimed at Russian-speaking users. It was later renamed to Buran.

Behavior

Unlike other viruses of this type, however, VegaLocker does not append any extension or rename files in any other way.

Payload Transmission

VegaLocker is distributed by hacking through an insecure RDP configuration, email spam and malicious attachments, deceptive downloads, botnets, exploits, web injects, fake updates, and repackaged and infected installers.

Infection

Once VegaLocker has been installed, it targets the user-generated files, overwriting them with encrypted versions and removing the Shadow Volume Copies of the affected files to disable this method of recovery. A VegaLocker attack targets a wide variety of file types, which may include media files, databases, documents, and numerous other file types. The files that threats like VegaLocker target in these attacks include:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

VegaLocker demands a ransom payment after encrypting the victim's files. To do this, it drops ransom notes on the infected computer in the form of text files named 'ABOUT YOUR FILES.TXT' and 'Your files are now encrypted.txt'. These files deliver a ransom message written in Russian, demanding a ransom payment from the victim in exchange for the decryption key. VegaLocker's ransom message translated to English reads:

    ATTENTION, YOUR FILES ARE ENCRYPTED!
    Your documents, photos, databases, game saves and other important data was encrypted with a unique key that we have.
    To restore data, you need a decryptor.
    You can restore files by writing us to email:
    e-mail: sprosinas@cock.li
    e-mail: sprosinas2@protonmail.com
    Send us your ID token and 1-2 files, the size should be no more than 1 MB.
    We will restore them to prove there is decryption available.
    After the demonstration, you will receive payment instructions, and after payment you will receive a decryptor program that will restore your files completely without issues.
    IF you can't reach us via e-mail:
    Go to the site: https://bitmessage.org/wiki/Main_Page and download the e-mail client.
    Run the e-mail client and create an address.
    Send us an e-mail to: BM-2cVK1UBcUGmSPDVMo8TN7eh7BJG9jUVrdG (including your address) and we will contact you.

Categories: Ransomware, Win32 ransomware, Win32, Win32 trojan, Microsoft Windows, Trojan, Virus, Win32 virus
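Because VegaLocker overwrites files in place without changing their extension, a scan that only looks at file names will not find the encrypted files. The added Python example below (written for this page, not code from the page or from any VegaLocker analysis) checks instead that a file's contents still begin with the header its extension implies, falls back to a byte-entropy check for formats without a fixed header, and flags the two ransom note file names quoted above. The magic-byte table, the entropy threshold and the sample files it builds are constructed assumptions, not values taken from the malware.

```python
import math, os, tempfile

# Expected leading bytes for some of the extensions the page lists as targets (assumed table).
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG\r\n\x1a\n",
         ".gif": b"GIF8", ".pdf": b"%PDF", ".rar": b"Rar!\x1a\x07", ".zip": b"PK\x03\x04",
         ".jar": b"PK\x03\x04", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04"}
RANSOM_NOTES = {"about your files.txt", "your files are now encrypted.txt"}  # names from the page

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, text and file headers far lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0

def classify_file(path: str, sample: int = 4096) -> str:
    """Return 'ransom_note', 'magic_mismatch', 'high_entropy' or 'ok' for one file."""
    name = os.path.basename(path).lower()
    if name in RANSOM_NOTES:
        return "ransom_note"
    with open(path, "rb") as f:
        head = f.read(sample)
    expected = MAGIC.get(os.path.splitext(name)[1])
    if expected is not None:                      # known format: header must still match
        return "ok" if head.startswith(expected) else "magic_mismatch"
    if len(head) >= 256 and shannon_entropy(head) > 7.5:
        return "high_entropy"                     # unknown format: fall back to entropy
    return "ok"

def scan_tree(root: str) -> dict:
    """Walk a directory tree and bucket suspicious files (basenames, sorted) by verdict."""
    found = {"ransom_note": [], "magic_mismatch": [], "high_entropy": []}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            verdict = classify_file(os.path.join(dirpath, fn))
            if verdict != "ok":
                found[verdict].append(fn)
    return {k: sorted(v) for k, v in found.items()}

def demo() -> dict:
    """Constructed sample tree: intact JPEG, two overwritten files keeping their extension, a note."""
    root = tempfile.mkdtemp()
    fake_cipher = bytes(range(256)) * 16          # uniform bytes, entropy exactly 8.0
    samples = {"holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 300,
               "family.jpg": fake_cipher,         # encrypted in place, still named .jpg
               "customers.sql": fake_cipher,      # no magic entry, so entropy decides
               "readme.txt": b"quarterly numbers\n" * 40,
               "ABOUT YOUR FILES.TXT": b"ATTENTION, YOUR FILES ARE ENCRYPTED!"}
    for fn, body in samples.items():
        with open(os.path.join(root, fn), "wb") as f:
            f.write(body)
    return scan_tree(root)
```

Compressed media such as .mp3 or .mp4 is naturally high-entropy, so in practice each such extension needs its own MAGIC entry rather than the entropy fallback.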